The UK Government can assess whether another country, territory or an international organisation provides an adequate level of data protection compared to the UK. An adequacy assessment may cover either general processing or law enforcement processing, or both. The Government must consider a range of factors, including that sending personal data to that country, territory or international organisation does not undermine people’s protections.
Some countries may have a substantially similar level of data protection to the UK. In these cases, the Government can make UK adequacy regulations. This allows organisations to send personal data to that country, territory or international organisation if they wish.
We support the Government undertaking law enforcement adequacy assessments and making regulations. This enables personal data to flow freely between UK competent authorities [1] and their partners in other countries and international organisations where it is necessary for a law enforcement purpose [2]. We do this by providing independent assurance on the process followed and the factors that government officials take into consideration. This allows the Secretary of State to make an informed and reasonable decision. By doing this work once for everyone, the Government and the ICO are reducing the burden of compliance on organisations that would otherwise have to put alternative measures in place.
One of our priorities for this year, as set out in our ICO25 strategic plan [3], is to “enable international data flows through regulatory certainty”. This includes our work on adequacy assessments. We provided advice to the Government during its assessment of the data protection framework for law enforcement processing in the Bailiwick of Guernsey (“Guernsey”). Now that the Government has laid the regulations, we are publishing this Opinion to set out our views on the process and the Government’s conclusion.
The Information Commissioner considers that it was reasonable for the Secretary of State (in this case, the Home Secretary) to conclude that Guernsey provides an adequate level of data protection for law enforcement processing and to lay regulations to that effect.
About this Opinion
Who is this Opinion for?
This Opinion is primarily for members of the UK Parliament to consider alongside the UK adequacy regulations laid by the Secretary of State.
It is also of interest to competent authorities that already transfer personal data to Guernsey for law enforcement purposes or who are considering doing so. Although these regulations do not apply to general processing [4], the wider public and data protection professionals may also be interested.
What is an adequacy assessment?
The UK’s data protection laws set out a framework for the responsible use of personal data by competent authorities for law enforcement purposes. People may lose this protection when competent authorities transfer their personal data to counterparts in other countries or to international organisations [5]. This is why the Data Protection Act 2018 (“DPA 2018”) has specific rules on how to make international transfers of personal data. These rules mean competent authorities must put in place continuing protections for people’s personal data when transferring it to another jurisdiction, or one of a limited number of exemptions must apply.
One way that UK competent authorities can transfer personal data to another jurisdiction is by relying on UK adequacy regulations, made by the Secretary of State. The Secretary of State can assess a country, territory, international organisation or a particular sector in a country or territory and decide if its legal framework offers a similar level of data protection to the UK.
Section 74A of the DPA 2018 contains a list of criteria the Secretary of State must consider when carrying out an adequacy assessment.
Criteria to be considered in an adequacy assessment [6]
4. When assessing the adequacy of the level of protection […], the Secretary of State shall, in particular, take account of the following elements:
a) the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organisation which are complied with in that country or international organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred;
b) the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject, with responsibility for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers, for assisting and advising the data subjects in exercising their rights and for cooperation with the Commissioner; and
c) the international commitments the third country or international organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.
If the Secretary of State decides the country, territory or international organisation, or a particular sector in a country or territory, provides an adequate level of data protection after considering all the above criteria, they can make regulations to give legal effect to their decision.
In general, adequacy regulations for law enforcement processing allow UK competent authorities to transfer personal data to a competent authority located in another country or to a relevant international organisation [7] where it is necessary for a law enforcement purpose and the relevant conditions have been met [8]. The transfer must adhere to the particular scope of those regulations.
What is the Commissioner’s role in adequacy assessments?
The Secretary of State must consult the Commissioner before making regulations under the DPA 2018 [9].
The Secretary of State and the Information Commissioner entered into a Memorandum of Understanding (MoU) on the role and responsibilities of the ICO concerning the Home Office’s work on UK adequacy assessments and regulations [10].
As set out in the MoU, the Home Office consults the Commissioner at various stages in their process. The Commissioner offers advice and comments on the information provided. However, the Commissioner does not make his own assessment of the adequacy of another country, territory or international organisation. He provides an independent assurance on the process followed and the factors that Home Office officials take into consideration. This allows the Secretary of State to make an informed and reasonable decision.
The MoU also says that the Commissioner may provide an Opinion to Parliament, including on the Home Office’s process and factors they take into account. These Opinions recognise that different countries have different ways of ensuring adequate levels of data protection.
Assessment of Guernsey
The Home Office’s assessment considered the level of data protection in Guernsey provided by the Data Protection (Law Enforcement and Related Matters) (Bailiwick of Guernsey) Ordinance 2018.
The Home Office obtained information from:
- the legislation itself;
- other desk-based research; and
- discussions and correspondence with the States of Guernsey.
Home Office officials provided their analysis of the data protection framework for law enforcement processing in Guernsey. This included details of the relevant legislation, case-law and examples of the practical implementation of the law for review. Home Office officials responded positively to the ICO’s suggestions of areas to clarify and explored these further. This ensures the final assessment is based on an appropriate range and depth of relevant factual information. The Commissioner gives this Opinion based on that information and has provided advice to the Secretary of State.
The Home Office’s assessment considered all the criteria for adequacy listed in section 74A of the DPA 2018 to the appropriate extent.
The Commissioner considers that it was reasonable for the Secretary of State to conclude that Guernsey provides an adequate level of data protection and to lay regulations to that effect.
The Commissioner is therefore pleased to offer Parliament his assurance as it considers the regulations.
Review and ongoing monitoring
The Secretary of State must undertake a review of the level of data protection in Guernsey every four years from the date the regulations come into force.
The Secretary of State is also required to monitor, on an ongoing basis, developments in a country, territory or international organisation which is the subject of UK adequacy regulations.
If the Secretary of State becomes aware of a significant change in the level of data protection that applies to personal data transferred from the UK as a result of either the review or ongoing monitoring obligations, the Secretary of State must amend or revoke the regulations to the extent necessary.
As part of the Commissioner’s role in the consultation process, he considered whether any of the information reviewed highlighted particular aspects that the Secretary of State should monitor. He concluded there were no aspects beyond monitoring general developments in Guernsey’s laws and practices.
In the course of his duties, the Commissioner, or his staff, may become aware of information that suggests Guernsey no longer provides adequate data protection. Should that happen, he will inform the Secretary of State and may recommend they undertake a review of the regulations. Depending on the circumstances, he may revise this Opinion accordingly.
What is the status of this Opinion?
The Commissioner has several powers and functions around UK adequacy assessments. This includes paragraph 1(1)(c) of schedule 13 to the DPA 2018. This gives the Commissioner a duty to advise the UK Parliament and Government, amongst others, on legislative and administrative measures. A key part of this links to the protection of people’s rights and freedoms relating to the processing of personal data under Part 3 of the DPA 2018. UK adequacy regulations fall within this remit.
There is also paragraph 2(d) of schedule 13 to the DPA 2018 which allows the Commissioner to issue Opinions to Parliament, the Government, other institutions and bodies and the public. They can cover any issue about the protection of personal data. The Commissioner can issue Opinions either on his own initiative or on request.
This Opinion sets out the Commissioner’s view of the adequacy assessment process followed, and factors taken into consideration by the Secretary of State for Guernsey under section 74A of the DPA 2018.
2 The law enforcement purposes are the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
5 An international organisation is defined by the DPA 2018 as “an organisation and its subordinate bodies governed by international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.”
7 A relevant international organisation is defined by the DPA 2018 as an international organisation that carries out functions for any of the law enforcement purposes.
8 Section 73(4), DPA 2018
9 Section 182(2), DPA 2018
10 Memorandum of Understanding (MoU) on the role of the ICO in relation to new UK law enforcement adequacy assessments.